Before the excitement that is creating a new SPF record, there are a few steps you should take in order to organize the information you will need to be successful.
Here is your “grocery” list of information you should know about your sending outgoing mail traffic:
- web server
- in-office mail server (e.g., Microsoft Exchange)
- your ISP's mail server
- mail server of your end users' home ISP
- any other mail server
Remember, only the final mail server matters. You do not need to include previous hops in the SPF record. However, you may want to consider whether your inbound mail gateways (MXs) will ever generate bounce messages, system reports, alerts, or other administrative messages.
Ok, so I have my information and I’m ready to start configuring an SPF record. What else should I know?
SPF limits you to only 10 look up mechanisms. Anything over 10 will result in an error with the receiver. To try and limit your look ups try considering listing IP4 or IP6 notations so the receiver can avoid DNS look ups entirely.
Publish SPF records for HELO names used by your mail server.
example.com. IN TXT "v=spf1 mx -all" mailserver.example.com. IN TXT "v=spf1 a -all"
Publishing a HELO rule involves creating an SPF record linked to the HELO Fully Qualified Domain Name (FQDN for short) used by your mail server.
It is best practice to configure a null SPF record for domains that do not send email. The reason for this is because the people who do use other domains to spoof, want to use a domain they believe is not used often and therefor most likely hasn’t been configured as strictly as domains that are in use more often.
Before you put your SPF records in play, you should use a SPF testing tool to ensure it is valid. An example of a popular tool would be: SPF Tools https://www.openspf.org/Tools. You can test and resolve any configuration issues before implementing it live.
I have my SPF configured and I’m ready to go!
Did you tell your senders that you have implemented SPF? It really is a good idea to keep your users in “the know”. Some mail clients may need to have SMTP authentication configured. Check with your email clients documentation for their own SPF configuration.
SPF is an important part of email authentication. SPF is allowing you to make the rules as to who can send on your domains behalf. As if that wasn’t a good enough reason, it is also one of the authentication methods used with DMARC.
For further information on SPF, please visit: www.openspf.org.